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Abstract. This paper is concerned with the computational complexity of equivalence 
and minimisation for automata with transition weights in the ring Q of rational numbers. 
We use polynomial identity testing and the Isolation Lemma to obtain complexity bounds, 
focussing on the class NC of problems within P solvable in polylogarithmic parallel time. 
For finite Q-weighted automata, we give a randomised NC procedure that either outputs 
that two automata are equivalent or returns a word on which they differ. We also give an 
NC procedure for deciding whether a given automaton is minimal, as well as a randomised 
NC procedure that minimises an automaton. We consider probabilistic automata with 
rewards, similar to Markov Decision Processes. For these automata we consider two notions 
of equivalence: expectation equivalence and distribution equivalence. The former requires 
that two automata have the same expected reward on each input word, while the latter 
requires that each input word induce the same distribution on rewards in each automaton. 
For both notions we give algorithms for deciding equivalence by reduction to equivalence of 
Q-weighted automata. Finally we show that the equivalence problem for Q-weighted visibly 
pushdown automata is logspace equivalent to the polynomial identity testing problem. 



Probabilistic and weighted automata were introduced in the 1960s, with many fundamen- 
tal results established in the papers of Schutzenberger [23] and Rabin [21l- Nowadays 
probabilistic automata are widely used in automated verification, natural-language pro- 
cessing, and machine learning. In this paper we consider weighted automata over the ring 
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* This is a full and improved version of the FoSSaCS'12 paper with the same title. An algorithm from the 
same authors' CAV'll paper [15] was incorporated in Section [3. II and new algorithms for minimisation were 
added in Section 3] Section [5. II is also new. 
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(Q,+,-,0, 1), which generahse probabihstic automata. Note that we restrict to rational 
transition weights to permit effective representation of automata. 

Two Q-weighted automata are said to be equivalent if they assign the same weight to 
any given word. It has been shown by Schutzenberger [23] and later by Tzeng [28] that 
equivalence for Q-weighted automata is decidable in polynomial time. By contrast, the 
natural analog of language inclusion, that one automaton accepts each word with weight at 
least as great as another automaton, is undecidable [9]. Let us emphasize that we consider 
the standard ring structure on Q. For example, for weighted automata over the max-plus 
semiring on Q, equivalence is undecidable [21 [18]. 

In this paper we show that the equivalence problem for Q-weighted automata, and 
various extensions thereof, can be efficiently solved by techniques rooted in polynomial 
identity testing. We focus on establishing bounds involving complexity classes within the 
class P of polynomial-time solvable problems. In particular, we consider the class NC of 
problems solvable in polylogarithmic parallel time with polynomially many processors [13] 
(see Section [2] for background on complexity theory). 

It has long been known that equivalence for Q-weighted automata can be solved in 
polynomial time [23^ [28] . There is moreover an NC algorithm for solving equivalence [29] . 
Our first contribution, in Section [3l is a randomised NC algorithm for deciding equivalence, 
based on polynomial identity testing. The advantage of using randomisation in this context 
is that our algorithm has much lower processor complexity than [29j. The latter performs 
quadratically more work than the classical sequential procedure. On the other hand, our 
randomised algorithm compared well with the classical sequential algorithm of [23[ [28] on 
a collection of benchmarks [15] . 

We also show that our algorithm can be used not just to decide equivalence but also 
to generate counterexamples in case of inequivalence. However the counterexample gener- 
ation is essentially sequential. We address this deficiency by giving a second randomised 
NC algorithm to decide equivalence of automata and output counterexamples in case of 
inequivalence. The algorithm is based on the Isolation Lemma, a classical technique in 
randomised algorithms that has previously been used, e.g., to derive randomised NC algo- 
rithms for matching in graphs [20]. Whether there is a deterministic NC algorithm that 
outputs counterexamples in case of inequivalence remains open. 

A Q-weighted automaton is minimal if no equivalent automaton has fewer states. Min- 
imal automata are unique up to change of basis. In Section [H we give an NC procedure 
to decide if a given automaton is minimal. For the associated function problem, that of 
minimising a given automaton, we give a randomised NC procedure. Thus the situation 
for minimisation is similar to that for equivalence: the decision problem is in NC whereas 
the function problem can only be shown to be in RNC. 

In Section [5] we consider probabilistic automata with rewards on transitions, which can 
be seen as partially observable Markov decision processes. Rewards (and costs, which can 
be considered as negative rewards) are omnipresent in probabilistic modelling for capturing 
quantitative effects of probabilistic computations, such as consumption of time, allocation 
of memory, energy usage, etc. For these automata we consider a notion of expectation 
equivalence, requiring that two automata have the same expected reward on each input word, 
and a stronger notion of distribution equivalence, requiring that each word induce the same 
distribution on rewards in both automata. In both cases we give decision procedures for 
equivalence by reduction to the case of Q-weighted automata, thus inheriting the complexity 
bounds established there. 
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We present a case study in which costs are used to model the computation time required 
by an RSA encryption algorithm, and show that the vulnerability of the algorithm to timing 
attacks depends on the equivalence of associated probabilistic reward automata. In jl7] 
two possible defenses against such timing leaks were suggested. We also analyse their 
effectiveness. 

In Section [6] we consider pushdown automata. Probabilistic pushdown automata are 
a natural model of recursive probabilistic procedures, stochastic grammars and branching 
processes [121 I19j . The equivalence problem for deterministic pushdown automata has 
been extensively studied [261 127]. We study the equivalence problem for Q-weighted visibly 
pushdown automata (VPA) [3]. In a visibly pushdown automaton the stack operation of a 
given transition — whether to pop or push — is determined by the input symbol being read. 

We show that the equivalence problem for Q-weighted VPA is logspace equivalent to 
Arithmetic Circuit Identity Testing (ACIT), which is the problem of determining equiva- 
lence of polynomials presented via arithmetic circuits [IJ. Several polynomial-time random- 
ized algorithms are known for ACIT, but it is a major open problem whether it can be 
solved in polynomial time by a deterministic algorithm. A closely related result is that of 
Seidl [25], that equivalence of Q-weighted tree automata is decidable in randomised poly- 
nomial time. However |25j does not establish a connection with ACIT in either direction. 

2. Preliminaries 

2.1. Complexity Classes. Recall that NC is the subclass of P comprising those problems 
considered efficiently parallelisable. NC can be defined via parallel random-access machines 
(PRAMs), which consist of a set of processors communicating through a shared memory. 
A problem is in NC if it can be solved in time (logn)'-^(^) (polylogarithmic time) on a 
PRAM with n^^^^ (polynomially many) processors. A more abstract definition of NC is 
as the class of languages which have L-uniform Boolean circuits of polylogarithmic depth 
and polynomial size. More specifically, denote by NC*^ the class of languages which have 
circuits of depth 0(log*' n). The complexity class RNC consists of those languages with 
randomized NC algorithms. We have the following chain of inclusions, none of which is 
known to be strict: 

NC^ C L C NL C NC^ C NC C RNC n P C P . 

We also have NC*= C SPACE (O (log''' n)), that is, problems in NC are solvable in polylog- 
arithmic space. 

Problems in NC include reachability in directed graphs, computing the rank and deter- 
minant of an integer matrix, solving linear systems of equations, and the Tree Isomorphism 
problem. Problems that are P-hard under logspace reductions include Circuit Value and 
Max Flow. Such problems are not in NC unless P = NC. Problems in RNC n P include 
matching in graphs and max flow in 0/1- valued networks. In both cases these problems 
have resisted classification as either being in NC or P-hard. See [13j for more details about 
NC and RNC. 
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2.2. Linear Algebra. Given an m x n matrix A = {aij) and a k x I matrix B = {bij), the 
Kronecker product B is an km x nl matrix defined by 

aiiB ■ ■ ■ ainB 



A(g)B 



a-miB 



^m.ii. B 



The following is a key property of the Kronecker product: 

{AC ® BD) for matrices A, B, C, D of appropriate 



Proposition 2.1. {A®B){C®D) 
dimensions. 

Given two m x n matrices A = (aij) and B 
is the m X n matrix defined by Cij = aijbij. 



) , the Hadamard product C = A Q B 



2.3. Laurent Polynomials. A Laurent polynomial in variables ti, . . . ,t„ with coefficients 
in Q is an expression of the form p = X^jgj aif^ ■ ■ - t^n^ where / C is a finite set and aj € 
Q. We say that p has degree bound d if |zi | + . . . + < d. We write Q[ti, t^^, . . . ,tn, t^^] 
for the ring of such polynomials, with the usual addition and multiplication operations; 
we furthermore write Q{ti,t^^, . . . ,tn,t^^) for the corresponding field of fractions, whose 
elements are quotients of Laurent polynomials. 

The following proposition immediately follows from the cofactor formula for matrix 
inversion. 

Proposition 2.2. Let M be anmxm matrix with entries in Q[ti, t^^ , . . . , tn,t^^] of degree 
bound d. If det(/ — M) ^ 0, then I — M is invertible over Q(ti, . . . ,tn, t^^), and each 
entry of {I — M)~^ can be represented as the quotient of Laurent polynomials, each of degree 
bound at most md. 

In the situation of Proposition 12.21 we denote (/ — M)~^ by M* . 



3. Equivalence of Q- Weighted Automata 

Given a field (F, +,-,0, 1), an ^-weighted automaton A = {n,Ti,M,cx,ri) consists of a 
positive integer n G N representing the number of states, a finite alphabet S, a map 
M : E — 7> F""^" assigning a transition matrix to each alphabet symbol, an initial (row) 
vector Q G F", and a final (column) vector 77 G F". We extend M to S* as the matrix 
product M((Ti . . . (Tfe) := M{ai) ■ . . . ■ M{ak)- The automaton A assigns to each word w a 
weight A{w) G F, where A{w) := aM{w)r]. An automaton A is said to be zero if A{w) = 
for all w G S*. Two automata B,C over the same alphabet E are said to be equivalent if 
B{vu) = C{vu) for all w G S*. 

Given two automata B,C that are to be checked for equivalence, one can compute an 
automaton A with A{w) = B{w) —C{w) for all G S*. Then A is zero if and only if B and C 
are equivalent. Given B = (n(^), S, M(^), q^'^), ry^^)) and C = (n(^), S, M(^), q;(^), t?^^)), set 
A = (n, E, M, Q, ri) with n := n^^^ + n^''^ and 

This reduction allows us to focus on zeroness, i.e., the problem of determining whether a 
given F-weighted automaton is zero. (Since transition weights can be negative, zeroness is 
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not the same as emptiness of the underlying unweighted automaton.) Note that a witness 
word w gT,* against zeroness of A is also a witness against the equivalence of B and C. 

In the remainder of this section we present two randomised NC^ algorithm algorithms 
for deciding equivalence of Q- weighted automata. The following result from [28J immediately 
implies decidability of testing zeroness, and hence equivalence, of Q-weighted automata. 

Proposition 3.1. Let ¥ be any field and A = {n,Ti,M,a.,ri) an ¥-weighted automaton. 
Then: (i) span{Q!M(u;) : w G S*} = span{Q;M(t/;) : w € S^"}; (ii) if A is not equal to the 
zero automaton then there exists a word w G T,* of length at most n — 1 such that A{w) ^ 0. 



3.1. Algorithm Based on the Schvi^artz-Zippel Lemma. By Proposition 13.11 a Q- 
weighted automaton with n states is zero if and only if its n-bounded language is zero, that 
is, it assigns weight zero to all words of length at most n. Inspired by the work of Blum, 
Carter and Wegman on free Boolean graphs [5], we represent the n-bounded language of an 
automaton by a polynomial in which each monomial represents a word and the coefficient of 
the monomial represents the weight of the word. We thereby reduce the zeroness problem to 
polynomial identity testing, for which there are a number of efficient randomised procedures. 

Let A = (n, S, M, a, ij) be a Q-weighted automaton. We introduce a family of variables 
X = {X(j i '. <j G S, 1 ^ i ^ Ti} and associate the monomial 3Jiiix,i-^t02,2 • • • -^Wkjk 

with a word 

w = wiW2 ■ ■ - Wk of length k < n. Then we define the polynomial P{x) by 

n-l 

P{x):='^ A{w) ■ Xwi,iXw^^2 ■ ■ ■ Xujk,k ■ (3.1) 

It is immediate from Proposition 13. II that P{x) = if and only if A is zero. 

To test whether P{x) = we select a value for each variable Xa,i independently and 
uniformly at random from a set of integers of size Kn, for some constant K. Clearly if 
P{x) = then this yields the value 0. On the other hand, if P{x) ^ then P will evaluate 
to a nonzero value with probability at least {K — 1)/K by the following result of De Millo 
and Lipton [IT] , Schwartz [24] and Zippel [30] and the fact that P has degree n — 1. 

Theorem 3.2 ([m [Ml [30]). Let ¥ be a field and Q(xi, . . . , x„) G F[ Xi, . . . , x„] a multi- 
variate polynomial of total degree d. Fix a finite set S C F, and let ri, . . . ,r„ be chosen 
independently and uniformly at random from S. Then 

Pr[Q(ri,...,r„) = I Q(xi, . . . , x„) ^ 0] < . 



While the number of monomials in P is proportional to i.e., exponential in n, 

writing 

(n i \ 
j=o j=i o-es ) 

it is clear that P can be evaluated on a particular set of numerical arguments in time poly- 
nomial in n. The formula (|3.2p can be evaluated in a forward direction, starting with the 
initial state vector ct and post-multiplying by the transition matrices, or in a backward 
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Algorithm ZERO 

Input: Automaton A = {n,T,, M, a, rj) 

if a?7 7^ 

return "ar? = A{e) / 0" 
V := T) 

for i from 1 to n do 

choose a random vector r G {1, 2, . . . , ii'n}^ 

if at? / 

return "3it; with = i such that A{w) ^ 0" 
return is zero with probabihty at least {K — 1)/-?^" 

Figure 1: Algorithm for testing zeroness 

Algorithm ZERO + CEX 

Input: Automaton ^ = (n, S, M, a, rf) 

if Q:?7 7^ 

return "ar? = ^(e) / 0" 
i7o := r/ 

for i from 1 to n do 

choose a random vector r € {1, 2, . . . , i^n}^ 

- (E.es K^)M(ct)) 
if at^i 7^ 
w := e 
u := a 

for j from i downto 1 do 

choose cr G S with uM{a)vj^i ^ 

w := t«cr 

It := uM{a) 
return "ti?7 = ^(if) 7^ 0" 
return is zero with probability at least {K — 1)/K" 

Figure 2: Algorithm for testing zeroness, with counterexamples 

direction, starting with the final state vector 77 and pre-multiplying by the transition ma- 
trices. In either case we get a polynomial-time Monte-Carlo algorithm for testing zeroness 
of Q- weighted automata. The backward variant is shown in Figure [TJ 

The algorithm runs in time 0(n • |M|), where \M\ is the number of nonzero entries in 
all M((t), provided that sparse-matrix representations are used. In a set of case studies this 
randomised algorithm outperformed deterministic algorithms |15j . 

We can obtain counterexamples from the randomised algorithm by exploiting the self- 
reducible structure of the equivalence problem. We generate counterexamples incrementally, 
starting with the empty string and using the randomised algorithm as an oracle to know at 
each stage what to choose as the next letter in our counterexample. For efficiency reasons 
it is important to avoid repeatedly running the randomised algorithm. In fact, as shown in 
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Figure O this can all be made to work with some post-processing following a single run of 
the randomised procedure. 

To evaluate the polynomial P{x) we substitute a set of randomly chosen rational values 
r = {va^i : 0" € S, 1 < i < n} into Equation (j3.2p . Here we generalize this to a notion 
of partial evaluation Pwij") of polynomial P with respect to values r and a word w E S"^, 
m < n. We define 

P^(r) = «MH fl j;r.,,M(a) U. (3.3) 

Notice that Peir) = P{r), where e is the empty word, and, at the other extreme, Pwif) = 
A{w) for any word w of length n. 

Proposition 3.3. Suppose that w € S™, where m < n. If Pw{r) ^ then either A{w) ^ 
or Pwaif) / for some fi E S. 

Proof. We prove the contrapositive: if A{w) = and Pwaif) = for each a £ T,, then 
Pwif) = 0. This immediately follows from the equation 

crgE 

This equation is established from the definition of Pwif) as follows: 
PUf) = aMiw)lj2 II E^-.J-^^(^))^ 

\i=m j=m+l (t6S / 

= Aiw) + aMiw)i Y ri E'^-.J-^^(^))^ 

= Aiw) + Y ra,m+i olM iwa) { Y HE ^'^J ) ^ 

= >l(w;) + ^r^,m+i P^„^(r) . □ 
o-es 

From Proposition 13.31 it is clear that the algorithm in Figure [2] generates a counterex- 
ample trace given r such that Pif) ^ 0. 

The algorithm in Figured] can be parallelised, yielding an RNC algorithm, as iterated 
products of matrices can be computed in NC. On the other hand, the algorithm in Fig- 
ure [2] yields a counterexample, but apparently cannot be parallelised efficiently because the 
counterexample is produced incrementally. 

3.2. Algorithm Based on the Isolating Lemma. We now develop a randomised NC^ 
procedure that can produce a counterexample in case of inequivalence. To this end we 
employ the Isolating Lemma of Mulmuley, Vazirani and Vazirani |20] . We use this lemma 
in a very similar way to [20J, who are concerned with computing maximum matchings in 
graphs in RNC. 
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Lemma 3.4. Let be a family of subsets of a set {xi, . . . , xn}- Suppose that each element 
Xi is assigned a weight Wi chosen independently and uniformly at random from {1, . . . , 2A^}. 
Define the weight of S ^ J- to be Ylx es'^^^' '^hen the probability that there is a unique 
minimum weight set in T is at least 1/2. 

We will apply the Isolating Lemma in conjunction with Proposition 13.11 to decide ze- 
roness of a Q- weighted automaton A. Suppose A has n states and alphabet S. Given cr S S 
and 1 < i < n, choose a weight Wi^a independently and uniformly at random from the set 
{1, . . . , 2|S|n}. Define the weight of a word u = ai . . . ak, k < n, to be wt(ii) := Yli=i ^«,o-i- 
(The reader should not confuse this with the weight A{u) assigned to u by the automa- 
ton A.) Then we obtain a univariate polynomial P from automaton A as follows: 

n 

If A is equivalent to the zero automaton then clearly P = 0. On the other hand, if 
A is non-zero, then by Proposition 13.11 the set J-" = {u € : A{u) ^ 0} is non-empty. 
Thus there is a unique minimum- weight word u ^ T with probability at least 1/2 by the 
Isolating Lemma. In this case P contains the monomial a;™*^") with coefficient A{u) as its 
smallest-degree monomial. Thus -P ^ with probability at least 1/2. 

It remains to observe that from the formula 

P(rc)=«lf;n^M(a)x--)r, 

yi=oj=io-gs j 

and the fact that iterated products of matrices of univariate polynomials can be computed in 
NC^ [To] we obtain an RNC algorithm for determining zeroness of Q-weighted automata. 

It is straightforward to extend the above algorithm to obtain an RNC procedure that 
not only decides zeroness of A but also outputs a word u such that A{u) 7^ in case A is 
non-zero. Assume that A is non-zero and that the random choice of weights has isolated 
a unique minimum-weight word u = a\ . . . such that A{u) 7^ 0. To determine whether 
cr G S is the i-th letter of u we can increase the weight Wi^^ by 1 while leaving all other 
weights unchanged and recompute the polynomial P{x). Then a is the i-th letter in u if 
and only if the minimum-degree monomial in P changes. All of these tests can be done 
independently, yielding an RNC procedure. 

Theorem 3.5. Given two Q-weighted automata A and B, there is an RNC procedure 
that determines whether or not A and B are equivalent and that outputs a word w with 
A{w) / B{w) in case A and B are inequivalent. 

From a practical perspective, the algorithm is less efficient than those from the previous 
subsection, as it requires computations on univariate polynomials rather than on mere 
numbers. 

4. Minimisation of Q- Weighted Automata 

A Q-weighted automaton is minimal if there is no equivalent automaton with strictly fewer 
states. It is known that minimal automata are unique up to a change of basis [7j. In this 
section we give an NC algorithm to decide whether a given Q-weighted automaton A is 
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minimal. We also give an RNC algorithm that computes a minimal automaton equivalent 
to a given Q-weighted automaton A. 

4.1. Deciding Minimality. Let A = {n,Ti,M,Q.,ri) be an automaton. Define the (infi- 
nite) matrix F to have rows indexed by S* and columns indexed by {1, . . . , n}, with the row 
indexed hy w (zT,* being the vector aM{w). The forward space F is defined to be the row 
space of F. Similarly define the matrix B to have rows indexed by {1, . . . , n} and columns 
indexed by S*, with the column indexed hy w € T,* being the vector M{w)r]. The backward 
space B is defined to be the column space of B. The product H = FB is called the Hankel 
matrix; it has rows and columns indexed by S* with H^^y = OLM{x)M{y)'q = A{xy). By 
linear algebra we have rank(i7) < min{rank(F), rank(i?)} < n. A fundamental result [7] is 
that the above inequalities are tight precisely when A is minimal: 

Proposition 4.1 (Carlyle and Paz). An automaton A with n states is minimal if and only 
if the Hankel matrix H has rank n. 

Using this result we show 

Theorem 4.2. Deciding whether a Q-weighted automaton is minimal is in NC. 

Proof. To check that a given automaton A= (n, S, M, ct, 77) is minimal it suffices to verify 
that the associated Hankel matrix H has rank n. Since H = FB, this holds if and only if 
the matrices F and B both have rank n. We show how to check that F has rank n; the 
procedure for B is entirely analogous. 

Let F be the sub-matrix of F obtained by retaining only those rows indexed by words 
in S*^". By Proposition 13.1( 1) we have rank(F) = rank(F). Thus 

rank(F) = n 44> rank(F) = n 
^ ker(F) = {0} 
<^ ker(F^F) = {0} 
^ det{F^F) ^ . 

The middle equivalence holds because for any vector x € Q", F'^Fx = implies = 
F'^ Fx = {Fx)^Fx, which in turn implies that Fx = 0. 
Since determinants can be computed in NC it only remains to show that we can 
compute each entry of the n x n matrix F^F in NC. Let Cj G Q" be the column vector 
with 1 in the i-th position and in all other positions. Given 1 < i, j < n we have 

(F^F)ij = Yl {(^M{w)ei){cxM{w)e,) 



Y {ct(S)Oi){M{w) (g) M{w)){ei(g)ej) 



'n-l 



\fc=o«,es'= / 
(Q«)a) j ^ ( ^(Af(a) 0M(cj)) ] |(ei«)e 

\fc=0 VtreS / / 
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Algorithm Forward-Basis 

Input: Automaton A = (n, S, M, a, rf) and error parameter K 

for i from 1 to n do 

choose a random vector r^*) € {1, 2, . . . , i^n}^^" 
Vi := p{r^'^) 

let k be maximum such that . . . , v^} is hnearly independent 
return "{vi, . . . , tJfc} is a basis of F" 

Figure 3: Algorithm for generating a basis of the forward space 

But this last expression can be computed in NC since sums and matrix powers can be 
computed in NC [lO]. □ 



4.2. Minimising an Automaton. Next we give an RNC algorithm to minimise a given 
automaton. The key idea is that we can compute a basis of the forward space F by generating 
random vectors in the space. We show that a randomly generated set of such vectors of 
cardinality equal to the dimension of F is likely to be a basis of F. We can likewise compute 
a basis of the backward space B. We give the construction of the forward space; the proof 
for the backward space is similar. 

The construction involves an application of polynomial identity testing in similar man- 
ner to Section [3.11 Consider again a family of variables x = {x^^^i : a € S, 1 < i < n} and 
associate the monomial a;^j^ia;^2.2 • • • Xwk,k with a word w = W1W2 ■ ■ ■ Wk- Then we define 
the row vector p{x) G Qfa;]"" by 

n 

(4.1) 

Note that evaluating p{x) at a vector of rationals r = {r^^i laGS, l<i<n) yields a 
vector p[r) in the forward space F. 

Proposition 4.3. Let \} he a proper subspace of F and let K be a positive integer. Then 
for r chosen uniformly at random from {1, . . . , Kn}^^"' we have Pr(/9(r) € U) < 1/K. 

Proof. Pick a non-zero vector i; € F that is orthogonal to U. Notice that the polynomial 
p(x)v'^ is non-zero since the coefficient of the monomial corresponding to a word w € T,^^ is 
aM{w)v'^, and this is clearly non-zero for at least one w. Now p{r) € U only if p{r)v'^ = 0. 
Since p{x)v^ has degree at most n, it follows from Theorem 13.21 that Pr(/j(r) S U) is at 
most l/K. □ 

The procedure to generate a basis for the forward space F is shown in Figure [3l The 
algorithm Forward-Basis necessarily returns a linearly independent set of vectors in the 
forward space. It only fails to output a basis if Vm+i £ span{i>i, . . . ,Vm} for some m < 
dim(F). By Proposition 14.31 this happens with probability at most 1/K for any given m, so 
the total probability that Forward-Basis does not give a correct output is at most n/K. 
Thus, e.g., choosing K = 3n we have an error probability of at most 1/3. 

It remains to observe that Forward-Basis can be made to run in O(log^n) parallel 
time. We perform the assignments Vi := p{r^'^^) for i = 1, . . . ,n in parallel. As observed 
in Section [3.H the computation of p{r^^^) involves an iterated matrix product, which can 



ON THE COMPLEXITY OF EQUIVALENCE AND MINIMISATION FOR Q- WEIGHTED AUTOMATA 11 



be done in O(log^n) parallel time. We also check linear independence of {vi, . . . ,Vk} for 
k = 1, . . . , n in parallel. Each check involves computing the rank of an A; x n matrix, which 
can again be done in 0(log^ n) parallel time [14j. 

Given bases of F and B, minimisation proceeds via a classical construction of Schiitzen- 
berger [23]. We briefly recall this construction and show that it can be implemented in 
NC by making one call to algorithm Forward-Basis and one call to the corresponding 
backward version of this algorithm. 

Let 7f G N and F G Q" ^" be such that the rows of 'f form a basis of the forward 
space F, with the first row of ^ being a. Similarly, let tjT G N and ^ 

g Qnxfc such that 

the columns of ^ form a basis of the backward space B, with the first column of ^ being 
rj. Since FM{a) C F and M{a)B C B for all a G S, there exist maps M : S ^ Q^'^^ and 

^M(cj) = A^{a)'f and M(a)^ = ^Ivf (a) for all a G E. (4.2) 

Can ^ := {lt,E,Jl,ei,fri) a forward reduction of A with base 'P' and similarly := 
C^, E, %I, cxS , ef) a backward reduction of A with base ^ . 

Proposition 4.4 ( [23]). Let A be an automaton. Then A is minimal and equivalent to A. 

Theorem 4.5. There is an RNC algorithm that transforms a given automaton into an 
equivalent minimal automaton. 

Proof. Let A = (n,!^, AI,a,ri) be an automaton. We have already shown that we can 
compute in randomised NC a matrix ^ whose rows form a basis of the forward space of 
A. Given we can compute the forward reduction ^ in NC since each transition matrix 
M(cj) is uniquely defined as the solution to the linear system of equations (j4.2p . Using 

the same reasoning we can compute A from ^ in randomised NC. This is the minimal 
automaton that we seek. □ 



5. Probabilistic Reward Automata 

In this section we consider probabilistic reward automata, which extend Rabin's probabilistic 
automata [21] with rewards on transitions. The resulting notion can be seen as a type of 
partially observable Markov Decision Process [3]. A similar model has been investigated 
from the point of view of language theory in [8]. Rewards are allowed to be negative, in 
which case they can be seen as costs. In Example 15.51 we use costs to record the passage of 
time in an encryption protocol. 

A Probabilistic Reward Automaton is a tuple A = (n, s, S, M, R, a, 77), where n G N is 
the number of states; s G N is the number of types of reward; S is a finite alphabet, M{a) 
is an n X n rational sub-stochastic matrix for each a G S; R{cr) is an n x n matrix with 
entries in {—1,0, 1}'^ for each cj G S; a is an n-dimensional rational stochastic row vector; 
?7 is a rational n-dimensional column vector with all entries lying in the interval [0, 1]. We 
think of M(a) as the transition matrix, R{cr) as the reward matrix, a as the initial-state 
vector, and rj as the final-state vector. 

The total reward of a run is the sum of the rewards along all its transitions. The 
expected reward of a word is the sum of the rewards of all runs over that word, weighted by 
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their respective probabihties. FormaUy, given a word w = wi, . . . ,Wk and a path of states 
p = Pq, . . . ,Pk, the probabihty and total reward of the path are respectively defined by 
/ fc \ k 

Pr(p) = n^(^)p-i'P' ^Pfc Reward(p) = ^R{wi)p^_^,p^ . 

\i=l / i=l 



The value of the word w is the expected reward over all runs: 
•^{w) = Pr(p) • Reward(p) . 

pG{l,...,n}'=+l 



(5.1) 



5.1. Expectation Equivalence. Two probabilistic reward automata A and B over the 
same alphabet S are defined to be equivalent in expectation if A{w) = B{w) for all words w G 
S*. In this section we give a simple reduction of the equivalence problem for probabilistic 
reward automata to the equivalence problem for Q-weighted automata. The idea is to 
combine transition probabilities and rewards in a single matrix. Without loss of generality 
we consider automata with a single type of reward; the general problem can be reduced to 
this by considering each component separately. 

Let A = {n,T,,M,R,a,T]) be a probabilistic reward automaton. We define a Q- 
weighted automaton B = {2n,T,, M' ,a' ,r]') such that A{w) = B{w) for each word w G S*. 
First we introduce the following matrices: 



A=[l 



E 




1 



c 



1 




We also write In for the n x n identity matrix. Now we define 



a 



V 

M'ia) 



-- a® A 
-- rj^E 

-- {M{a)^l2) + {iM{a)QR{a))®C) 
where (8) denotes Kronecker product and denotes Hadamard product (cf. Section [2^2 
Proposition 5.1. A{w) = B{w) for all words w € S*. 
Proof. We show by induction that for all words w (zTi* we have 



M'{w) = {M{w) (g) h) + 




{M{w'){M{a) R{a))M{w")) C 



(5.2) 



The base case, w = e, \s clear. For the induction step we have 
M'{wa) = M'{w)M'{(t) 

= {M{w) h){M{a) h) + {M{w) h){{M{cj) R{cj)) C) 



+ \ 



w=w' aw" 



{M{w'){M{a) R{a))M{w")) C {M{a) 



+ {M{w'){M{a)QR{a))M{w"))®c\{{M{a)QR{a))®C) 



w=w aw 
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But using Proposition 12.11 and the identity = 0, the above expression simphfies to 
{M{wa) h) + I Yl {M{w'){M{a)QR{a))M{w"))(^c\ . 



wa=w aw 



This completes the induction step. 

Using Proposition 12.11 and the fact that AE = and ACE = Ii it follows from (15.2 

that 

B{w) = a'M'(w)r]' = ^ a{M{w'){M{a) R{a))M{w"))r] 



w',w" 
w=w'aw" 



i=l pe{l,...,n}'=+i \ i=i 



But the equivalence of the above expression and (15. ip follows from distributivity of multi- 
plication over addition. □ 

Corollary 5.2. Expectation equivalence of probabilistic reward automata can be decided in 
NC. Moreover there is an RNC procedure that determines whether or not two automata 
are equivalent and outputs a word on which they differ in case they are inequivalent. 

Proof. The first part follows by combining Proposition 15.11 with the NC algorithm for 
Q- weighted automaton equivalence in |29j. The second part follows by combining Proposi- 
tion [5T] with Theorem 13.51 □ 



5.2. Distribution Equivalence. Two probabilistic reward automata are called distribu- 
tion equivalent if they induce identical distributions on rewards for each input word w € E*. 
We formalise this notion by translating probabilistic reward automata into Q-weighted au- 
tomata over the field F = Q(ti, f^^, . . . , t<j, t^-^) of rational Laurent functions, as defined in 
Section [2l We consider e-transitions in this section because they are convenient for applica- 
tions (cf. Example 15. 4|) and because we cannot rely on existing e-elimination results in the 
presence of rewards. 

Let A = {n,s,T,,M,R,a,ri) be a probabilistic reward automaton, where e € S. To 
make e-elimination more straightforward, we assume that the transition matrix M{e) has 
no recurrent states, i.e., that its spectral radius is strictly less than one. We now define an 
F-weighted automaton A' = {n,T,, M' ,a,r]) as follows. For 1 < i,j < n, let M'{a)i,j = 
at^^ . . . ,tg% where M{a)ij = a and R{a)ij = (fci, . . . , ks). We extend M' to a map M' : 
S* F*"^" by defining 

M'{w) := M'{e)*M'{wi)M'{e)* • • • M'(w„)M'(e)* (5.3) 

for a word w = wi . . . Wm- Our convention on e-transitions implies that det(I — M'(e)) ^ 
and therefore, by Proposition 12.21 that Af'(e)* is well-defined and has entries whose 
numerators and denominators are Laurent polynomials with degree bound sn. It follows 
that the entries of M'{w) have degree bound {sn + l)m. 
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Two probabilistic reward automata B, C over the same alphabet S and with the same 
number of reward types are said to be equivalent if the corresponding F-weighted au- 
tomata B' and C are equivalent, i.e., B'{w) = C'{w) for all words w € S*. Now Propo- 
sition 13.11 implies that equivalence for F-weighted automata is decidable, but the algo- 
rithms of Schiitzenberger |23j and Tzeng [28] do not yield polynomial-time procedures 
in our case because the complexity of solving systems of linear equations over the field 
Q(ti, . . . , ts, t^^) is not polynomial in s (indeed the solution need not have length ex- 
ponential in s). However, it not difficult to give a randomised polynomial-time algorithm 
to decide equivalence of probabilistic reward automata. 

Let A' be the F-weighted automaton corresponding to a probabilistic reward automaton 
A with n states. For each word ti; S S* of length at most n we have a rational function 
A!{w) whose numerator and denominator are polynomials of degree at most d := [sn + l)n, 
as observed above. Now consider the set R := {1, 2, . . . , 2d}'^. Suppose that we pick 
r ^ R uniformly at random. Denote by A'{w){r) the result of substituting r for the formal 
variables ti, . . . ,ts in the rational function A'{w). Clearly if A' is a zero automaton then 
A'{w){r) = for all r & R. On the other hand, if A' is non-zero then by Proposition 13.11 
there exists a word w £ T,* of length at most n such that A'{w) ^ 0. Since the degree of 
the rational expression A'(w) is at most d it follows from the Schwartz-Zippel theorem [11^ 
[MIE^ that the probability that A{w){r) = is at most 1/2. 

Thus our randomised procedure is to pick r £ R uniformly at random and to check 
whether A{'w){r) = for some w £ 'S*. To perform this final check we show that there 
is a Q-weighted automaton B such that A'{w){r) = B{w) for all w £ T,*. Then check 
B for zeroness using, e.g., Tzeng's algorithm [28]. The automaton B has the form B = 
(n(^),S,M('^),Q(^),r7(^)), where n(^) = n, q^^) = a, r]^^^ = rj and M^^\a) = M{a){r) 
for all cj G S. 

Theorem 5.3. There is an RNC procedure that determines whether or not two probabilistic 
reward automata are distribution equivalent, and which outputs a word on which they differ 
in case they are inequivalent. 

Example 5.4. We consider probabilistic programs that randomly increase and decrease 
a single counter (initialised with 0) so that upon termination the counter has a random 
value X £ "L. The programs should be such that X is a random variable with X = 
Y — Z where Y and Z are independent random variables with a geometric distribution with 
parameters p = 1/2 and p = 1/3, respectively. (By that we mean that Pr(y = k) = {l—p)^p 
for k £ {0, 1, . . .}, and similarly for Z.) Figure H] shows code in the syntax of the apex 
tool [H]. 

The program on the left consecutively runs two while loops: it first increments the 
counter according to a geometric distribution with parameter 1/2 and then decrements 
the counter according to a geometric distribution with parameter 1/3, so that the final 
counter value is distributed as desired. The program on the right is more efficient in that 
it runs only one of two while loops, depending on a single coin flip at the beginning. It 
may not be obvious though that the final counter value follows the same distribution as 
in the left program. We used the apex tool to translate the programs to the probabilistic 
reward automata B and C shown in Figure [3 Here each counter increment corresponds to 
a reward of 1 and each counter decrement to a reward of —1. Since the input alphabets are 
empty, it suffices to consider the input word e when comparing B and C for equivalence. 
If we construct the difference automaton A = (5, 1, 0, Af, o;, 77) and invert the matrix of 
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inc:com, dec: com |- 
var°/o2 flip; 
flip := 0; 

while (flip = 0) do { 

flip := coinEO: 1/2,1: 1/2] ; 
if (flip = 0) then { 
inc ; 

>; 

}; 

flip := 0; 

while (flip = 0) do { 

flip := coin[0:2/3,l:l/3] ; 
if (flip = 0) then { 
dec ; 

>; 

} 

: com 



inc : com , dec : com | - 
var7o2 flip; 

flip := coin[0: 1/2,1: 1/2] ; 
if (flip = 0) then { 
while (flip = 0) do { 

flip := coin[0: 1/2,1: 1/2] ; 
if (flip = 0) then { 
inc ; 

>; 

}; 

} else { 
flip := 0; 

while (flip = 0) do { 
dec ; 

flip := coin [0:2/3,1: 1/3] ; 

}; 

> 

: com 



Figure 4: Two apex programs for producing a counter that is distributed as the difference 
between two geometrically distributed random variables. 




Figure 5: Automata produced from the code in Figure [H The states are labelled with their 
number and their "acceptance probability" (r/- weight). In both automata, state 1 
is the only initial state (qi = 1 and ctj = for i ^ 1). The transitions are labelled 
with the input symbol e, with a probability (weight) and a cost. 

polynomials / — M(e), we obtain 

^[^m - (3^_2)(3;_2)' ^' 2(x-2)' 2(3x - 2) J = ° ' 



16 



S. KIEFER, A.S. MURAWSKI, J. OUAKNINE, B. WACHTER, AND J. WORRELL 



which proves equivalence of B and C. Notice that the actual algorithm would not compute 
A{e){x) as a polynomial, but it would compute A{e){r) only for a few concrete values r G Q. 

Example 5.5. RSA [22] is a widely-used cryptographic algorithm. Popular implementa- 
tions of the RSA algorithm have been shown to be vulnerable to timing attacks that reveal 
private keys |17l [6] . The preferred countermeasures are blinding techniques that randomise 
certain aspects of the computation, which are described in, e.g., |17j . We model the timing 
behaviour of the RSA algorithm using probabilistic cost automata, where costs encode time. 
These automata are produced by apex, and are then used to check for timing leaks with 
and without blinding. 

At the heart of RSA decryption is a modular exponentiation, which computes the value 
m'^ mod N where m € {0, . . . , — 1} is the encrypted message, d G N is the private 
decryption exponent and € N is a modulus. An attacker wants to find out d. We model 
RSA decryption in apex by implementing modular exponentiation by iterative squaring 
(see Figure [6]). We consider the situation where the attacker is able to control the message 
m, and tries to derive d by observing the runtime distribution over different messages m. 
Following [T7j we assume that the running time of multiplication depends on the operand 
values (because a source-level multiplication typically corresponds to a cascade of processor- 
level multiplications). By choosing the 'right' input message m, an attacker can observe 
which private keys are most likely. 

We consider two blinding techniques mentioned in Kocher [T7]. The first one is base 
blinding, i.e., the message is multiplied by r'^ before exponentiation where d is a random 
number, which gives a result that can be fixed by dividing by r but makes it impossible 
for the attacker to control the basis of the exponentiation. The second one is exponent 
blinding, which adds a multiple of the group order ip{N) of TLjNTL to the exponent, which 
doesn't change the result of the exponentiatiorQ but changes the timing behaviour. 

Figure [7] shows the automaton for = 10, and private key 0,1,0,1 with message 
blinding enabled. The apex program is given in Figure [6l 

We investigate the effectiveness of blinding. Two private keys are indistinguishable if 
the resulting automata are equivalent. The more keys are indistinguishable the safer the 
algorithm. We analyse which private keys are identified by plain RSA, RSA with a blinded 
message and RSA with blinded exponent. 

For example, in plain RSA, the following keys 0,1,0,1 and 1,0,0,1 are indistinguish- 
able, keys 0, 1, 1, and 0, 0, 1, 1 are indistinguishable with base blinding, lastly 1, 0, 0, 1 and 
1, 0, 1, 1 are equivalent only with exponent blinding. Overall 9 different keys are distinguish- 
able with plain RSA, 7 classes with base blinding and 4 classes with exponent blinding. 

6. Pushdown Automata and Arithmetic Circuits 

In a visibly pushdown automaton [3] the stack operations are determined by the input word. 
Consequently VPA have a more tractable language theory than ordinary pushdown au- 
tomata. The main result of this section shows that the equivalence problem for Q-weighted 
VPA is logspace equivalent to the problem ACIT of determining whether a polynomial 
represented by an arithmetic circuit is identically zero. 



Euler's totient function satisfies af^ ' = 1 mod A'' for all a £ Z. 
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const N := 10; // modulus 

const Bits := 4 ; // number of bits of the key 

m lint'/oN, inc:com |- 

var°/o2 exponent [Bits] = [0,1,0,1]; 

com power (x : int°/oN) { 

vary.N s := 1; 

var%N R; 

for (var% (Bits + 1) k; k < Bits; ++k) do { 

R:=s; 

if (exponent [k] ) then { 
R := R*x; 

if(5<=R) then { inc; inc } else { inc } 

} 

s := R*R; 

} 

} 

var7oN message := m*rand[N] ; // blinding 
power (message) : com 

Figure 6: APEX code for RSA. 



0_m, 1 




Figure 7: Modeling RSA decryption with APEX. 



A visibly pushdown alphabet E = ScUE^ UEi„t consists of a finite set of calls Ec, a finite 
set of returns E^., and a finite set of internal actions Ej„j. A visibly pushdown automaton 
over alphabet E is restricted so that it pushes onto the stack when it reads a call, pops the 
stack when it reads a return, and leaves the stack untouched when reading internal actions. 
Due to this restriction visibly pushdown automata only accept words in which calls and 
returns are appropriately matched. Define the set of well-matched words to be \J-^^Li, 
where Lq = Ej„4 + {e} and Lj+i = T^cWEr + LiLi- 

A Q-weighted visibly pushdown automaton on alphabet E is a tuple A = (n, a, rj, T, M), 
where n is the number of states, a is an n-dimensional initial (row) vector, rj is an n- 
dimensional final (column) vector, F is a finite stack alphabet, and M = (Mc, Mr, Mint) is a 
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tuple of matrix-valued transition functions with types Mc : Sc x T — t- Q"^", Mr : x F — > 
Q"^*" and Mint ■ ^int Q""""- If a G and 7 G T then Mc{a,j)ij gives the weight of an 
a-labelled transition from state i to state j that pushes 7 on the stack. If a S and 7 G T 
then Mr{a,j)ij gives the weight of an a-labehed transition from state i to j that pops 7 
from the stack. 

For each weh-matched word u E S* we define an n x n rational matrix M^-^\u) whose 
{i,j)-th entry denotes the total weight of all paths from state i to state j along input u. 
The definition of M^-^\u) follows the inductive definition of well-matched words. The base 
cases are M^-^^e) = I and M^-^\a)ij = Mint{a)ij. The inductive cases are 

M^-^\uv) = M^-^\u) ■ M^-^\v) (6.1) 

M^-^\aub) = ^Mc(a,7) •M('^)(u) •M^(5,7), (6.2) 

for a G Ec, 6 G S,.. 

The weight assigned by ^ to a well-matched word w is defined as A{w) := aM^-^\u)ri. 
We say that two Q-weighted VPA A and B are equivalent if for each well-matched word w 
we have A{w) = B{w). 

An arithmetic circuit is a finite directed acyclic multigraph whose vertices, called gates, 
have indegree or 2. Vertices of indegree are called input gates and are labelled with a 
constant or 1, or a variable from the set {xj : i G N}. Vertices of indegree 2 are called 
internal gates and are labelled with one of the arithmetic operations -|-, * or — . We assume 
that there is a unique gate with outdegree called the output. Note that C is a multigraph, 
so there can be two edges between a pair of gates, i.e., both inputs to a given gate can lead 
from the same source. We call a circuit variable-free if all inputs gates are labelled or 1. 

The Arithmetic Circuit Identity Testing (ACIT) problem asks whether the output of a 
given circuit is equal to the zero polynomial. ACIT is known to be in coRP but it remains 
open whether there is a polynomial or even sub-exponential algorithm for this problem p!]. 
Utilising the fact that a variable-free arithmetic circuit of size 0(n) can compute 2^ , 
Allender et al. [Ij give a logspace reduction of the general ACIT problem to the special 
case of variable-free circuits. Henceforth we assume without loss of generality that all 
circuits are variable-free. Furthermore we recall that ACIT can be reformulated as the 
problem of deciding whether two variable-free circuits using only the arithmetic operations 
-|- and * compute the same number [T|. 

We have the following proposition: 

Proposition 6.1. ACIT is logspace reducible to the equivalence problem for Q-weighted 
visibly pushdown automata. 

Proof. Let C and C be two circuits over basis {-|-, *}. Without loss of generality we assume 
that in each circuit the inputs of a depth-i gate both have depth i + 1, -|— nodes have even 
depth, *-nodes have odd depth, and input nodes all have the same depth d. Notice that in 
either circuit any path from an input gate to an output gate has length d. 

We define two automata A and A' that are equivalent if and only if C and C have the 
same output. Both automata are defined over the alphabet {c, r, l}, with c a call, r a return 
and L an internal event. We explain how A arises from C; the definition of A' is entirely 
analogous. 
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Suppose that C has set of gates {go,gi, ■ ■ ■ ,gn}, with go the output gate. For each gate 
gi of C we include a state Sj of A and a stack symbol 7j. The initial state of ^ is sq, and 
all states are accepting. The transitions of A are defined as follows: 

• For each +-gate gi := gj + gk in C we include an internal transition from Si that goes to 
Sj with probability 1/2 and to Sk with probability 1/2. 

• For each *-gate gi := gj * gk we include a probability- 1 call transition from Si to Sj that 
pushes 7fc onto the stack. 

• An input gate gi with label contributes no transitions. 

• For each input gate gi with label 1 and each stack symbol 7j , we include a return transition 
from Si that pops off the stack and ends in state Sj with probability 1. 

Recall that acceptance is by empty stack and final state. By construction A only accepts 
a single word, as we now explain. Define a sequence of words Wn G {c, r, t}* by wq = i, 
Wn+i = iWn for n even, and Wn+i = cWnTWn for n odd. Furthermore, write Mq = 1, 
M„-|_i = 2M„ for 11 even, and M„+i = for n odd. Then A accepts Wd with probability 
N/Md, where d is the depth of the circuit C and is output of C. All other words are 
accepted with probability 0. We conclude that C and C have the same value if and only if 
A and A' are equivalent. □ 

In the remainder of this section we give a converse reduction: from equivalence of Q- 
weighted VPA to ACIT. The following result gives a decision procedure for the equivalence 
of two Q-weighted VPA A and B. 

Proposition 6.2. A is equivalent to B if and only if A{w) = B{w) for all words w € -L„2, 
where n is the sum of the number of states of A and the number of states ofB. 

Proof. Recall that for each balanced word u G S* we have rational matrices M^"^^(m) and 
M^^\u) giving the respective state-to-state transition weights of A and B on reading u. 
These two families of matrices can be combined into a single family 

= { ( ^^0 ^""^ M(^)(n) ) • ^<5ll-"^atchedl 

of n X n matrices. Let us also write Mi for the subset of M. generated by those well-matched 
words u £ Li. 

Let a^-^\r]^-^'^ and cx^^\rj^^^ be the respective initial and final-state vectors of A and 
B. Then A is equivalent to B if and only if 

( a(^) )M ( ) = (6.3) 

for all M € A4. It follows that A is equivalent to B if and only if (j6.3p holds for all M in 
span(Al), where the span is taken in the rational vector space of n x n rational matrices. 
But span(A^j) is an ascending sequence of vector spaces: 

Span(A/(o) C Span(A^i) C Span(A42) ^ • • • 

It follows from a dimension argument that this sequence stops in at most n? steps and we 
conclude that span(A^) = span(7Vl„2). □ 
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Proposition 6.3. Given a Q-weighted visibly pushdown automaton A and n € N one can 
compute in logarithmic space a circuit that represents YIwgl o •^i'w) ■ 

Proof. From the definition of tlie language Li and tlie family of matrices M^-^^ we have: 

The above equation implies that we can compute in logarithmic space a circuit that repre- 
sents ^Yliw^Ln M'^'^^^w). The result of the proposition immediately follows by premultiplying 
by the initial state vector and postmultiplying by the final state vector. □ 

A key property of Q-weighted VPA is their closure under product. 

Proposition 6.4. Given (J-weighted VPA A and B on the same alphabet S one can define 
a synchronous-product automaton, denoted AiSi B, such that {A Cg) B){w) = A{uj)B{w) for 
all w e'S*. 

Proof. The proof exploits the fact that the stack height is determined by the input word, 
so the respective stacks of A and B operating in parallel can be simulated in a single stack. 

Let >1= (n(^),S,r(-^),M(^),a(-^),r7(^)) and S = (n^^), S, r('4), M^^), a(^), r7(^)). We 
define a product automaton C. Note that since the stack height is determined by the input 
word we can simulate the respective stacks of A and B using a single stack in C whose 
alphabet is the product of the respective stack alphabets of A and B. 

The number of states of C is n^-^^ -n^^^ The initial vector a^^') in the vector a^'^^ ^a^^^ 
and the final vector 

rjiC) is rji-A) xhe stack alphabet of C is T^-^) x T^^). Given 

a G Sc U T,r the transition matrix M^*^) (a, (7, 7')) is M^-^^a,-/) M^^\a,y). Likewise, 
given a € the transition matrix M^'^\a) is M^-^\a) (8) M^^^a). 

It is now straightforward to show that M^''^ {w) = M^"^-* (w) (8) M^^^ (w) for all balanced 
words u; G S*. The proof proceeds by induction on balanced words, following ()6.ip and 
(j6.2p . and using Proposition 12 . 1 1 on Kronecker products. □ 

Proposition 6.5. The equivalence problem for Q-weighted visibly pushdown automata is 
logspace reducible to ACIT. 

Proof. Let A and B be Q-weighted visibly pushdown automata with a total of n states 
between them. Then 

weL„ 

Thus A is equivalent to B iff J2wglJ-^ ^ -^)(^) + ^ B){w) = 2Y,^^^JA O B){w). But 
Propositions 16.31 and 16.41 allow us to translate the above equation into an instance of ACIT. 

□ 
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The trick of considering sums-of-squares of acceptance weights in the above proof is 
inspired by [29^ Lemma 1]. 

7. Conclusion 

It is known that deciding equivalence of Q- weighted finite automata is in NC |29] . We have 
shown that deciding minimahty is also in NC. Regarding the corresponding function prob- 
lems, we have given an RNC algorithm to decide equivalence and output a counterexample 
word in case the input automata differ, and an RNC algorithm to minimise an automaton. 
We do not know whether either of these problems is in NC. It would be interesting to 
explore whether there is a relationship between these two problems, and to relate them to 
other problems in RNC that are not known to be in NC, such as bipartite matching. 

For Q- weighted VPA the situation is more complete. We have shown that deciding 
equivalence is equivalent to polynomial identity testing, the complexity of which is an im- 
portant open problem. 

References 

[1] E.E. AUender, P. Biirgisser, J. Kjeldgaard-Pedersen, and P. Bro Miltersen. On the complexity of nu- 
merical analysis. SIAM J. Comput, 38(5):1987-2006, 2009. 

[2] S. Almagor, U. Boker, and O. Kupferman. What's decidable about weighted automata? In ATVA, 
volume 6996 of LNCS, pages 482-491. Springer, 2011. 

[3] R. Alur and P. Madhusudan. Visibly pushdown languages. In Proc. 36th Annual ACM Symposium on 
Theory of Computing STOC, pages 202-211. ACM, 2004. 

[4] R. Bellman. A Markovian Decision Process. Journal of Mathematics and Mechanics, 6, 1957. 

[5] M. Blum, A. Chandra, and M. Wegman. Equivalence of free boolean graphs can be decided probabilis- 
tically in polynomial time. Inf Process. Lett, 10(2):80-82, 1980. 

[6] D. Brumley and D. Boneh. Remote timing attacks are practical. Computer Networks, 48(5):701-716, 
2005. 

[7] J. W. Carlyle and A. Paz. Realizations by stochastic finite automata. J. Comput. Syst. Sci., 5(l):26-40, 
1971. 

[8] K. Chatterjee, L. Doyen, and T. A. Henzinger. Probabilistic weighted automata. In CONCUR, volume 

5710 of LNCS, pages 244-258. Springer, 2009. 
[9] A. Condon and R. Lipton. On the complexity of space bounded interactive proofs (extended abstract). 

In Proceedings of FOCS, pages 462-467, 1989. 
[10] S. A. Cook. A taxonomy of problems with fast parallel algorithms. Information and Control, 64(1-3) :2- 

22, 1985. 

[11] R. DeMillo and R. Lipton. A probabilistic remark on algebraic program testing. Inf. Process. Lett., 
7(4):193-195, 1978. 

[12] K. Etessami and M. Yannakakis. Recursive Markov chains, stochastic grammars, and monotone systems 
of nonlinear equations. J. ACM, 56(1):1:1-1:66, 2009. 

[13] R. Greenlaw, H.J. Hoover, and W.L. Ruzzo. Limits to parallel computation: P- completeness theory. 
Oxford University Press, 1995. 

[14] O. H. Ibarra, S. Moran, and L. E. Rosier. A note on the parallel complexity of computing the rank of 
order n matrices. Inf. Process. Lett., 11(4/5):162, 1980. 

[15] S. Kiefer, A.S. Murawski, J. Ouaknine, B. Wachter, and J. Worrell. Language equivalence for proba- 
bilistic automata. In CAV, volume 6806 of LNCS, pages 526-540, 2011. 

[16] Stefan Kiefer, Andrzej S. Murawski, Joel Ouaknine, Bjorn Wachter, and James Worrell. Apex: An 
analyzer for open probabilistic programs. In Madhusudan Parathasarathy and Sanjit A. Seshia, editors. 
Proceedings of the 24th International Conference on Computer Aided Verification (CAV), volume 7358 
of LNCS, pages 693-698, Berkeley, California, USA, 2012. Springer. 



22 S. KIEFER, A.S. MURAWSKI, J. OUAKNINE, B. WACHTER, AND J. WORRELL 



[17] P.C. Kocher. Timing attacks on implementations of DifRe-Hellman, RSA, DSS, and other systems. In 

CRYPTO, volume 1109 of LNCS, pages 104-113. Springer, 1996. 
[18] D. Krob. The equality problem for rational series with multiplicities in the tropical semiring is unde- 

cidable. Int. Journal of Alg. and Camp., 4(3):232-249, 1994. 
[19] A. Kuccra, J. Esparza, and R. Mayr. Model checking probabilistic pushdown automata. Logical Methods 

in Computer Science, 2(1): 1-31, 2006. 
[20] K. Mulmuley, U. V. Vazirani, and V. V. Vazirani. Matching is as easy as matrix inversion. In STOC, 

pages 345-354, 1987. 
[21] M. O. Rabin. Probabilistic automata. Inf. and Control, 6 (3):230-245, 1963. 

[22] R. L. Rivcst, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key 

cryptosystcms. Communications of the ACM, 21:120-126, 1978. 
[23] M.-P. Schiitzenberger. On the definition of a family of automata. Inf. and Control, 4:245-270, 1961. 
[24] J. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. J. ACM, 27(4):701- 

717, 1980. 

[25] H. Scidl. Deciding equivalence of finite tree automata. SIAM J. Comput., 19(3):424 437. 1990. 

[26] G. Scnizergucs. The equivalence problem for deterministic pushdown automata is dccidablc. In ICALP, 

volume 1256 of LNCS. Springer, 1997. 
[27] C. Stirling. Deciding DPDA equivalence is primitive recursive. In ICALP, volume 2380 of Lecture Notes 

in Computer Science, pages 821-832. Springer, 2002. 
[28] W. Tzeng. A polynomial-time algorithm for the equivalence of probabilistic automata. SIAM Journal 

on Computing, 21(2):216-227, 1992. 
[29] W. Tzeng. On path equivalence of nondeterministic finite automata. Inf. Process. Lett, 58(l):43-46, 

1996. 

[30] R. Zippel. Probabilistic algorithms for sparse polynomials. In EUROSAM, volume 72 of Lecture Notes 
in Computer Science, pages 216-226. Springer, 1979. 



This work is iicensed under the Creative Commons Attribution-NoDerivs License. To view 
a copy of this license, visit http://creativeconra10ns.0rg/iicenses/by-nd/2.o/ or send a 
letter to Creative Commons, 1 71 Second St, Suite 300, San Francisco, CA 941 05, USA, or 
Eisenacher Strasse 2, 10777 Berlin, Germany 



